In Microsoft Azure, Azure AD is the identity governance and administration layer that is used to manage access to resources such as instances of virtual machines, databases, applications, APIs, websites, etc. This identity layer is the control plane that helps protect your resources from intruders.
In this paper, we describe the architectures and best practices for implementing identity and access management across separate Azure environments. Not all organizations need to run separate environments. This document will help you understand if this configuration is appropriate for your organization.